Last active
March 21, 2020 15:28
-
-
Save stvemillertime/0f715585bfd0a2912fcdcc886d274735 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "pe" | |
| rule ExportEngine_APT41_Loader_Prefix | |
| { | |
| meta: | |
| author = "@stvemillertime" | |
| description = "This looks for a common APT41 Export DLL name in BEACON shellcode loaders, such as loader_X86_svchost.dll" | |
| strings: | |
| $pcre = /loader_[\x00-\x7F]{1,}\x00/ | |
| condition: | |
| uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment